Release/0.6.0

.github/dependabot.yml

@@ -4,26 +4,35 @@
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 
 version: 2
+
+multi-ecosystem-groups:
+  # Consolidate version updates into a single PR
+  version-updates:
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
 updates:
   # Enable version updates for GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
-    schedule:
-      # Check for updates to GitHub Actions every week
-      interval: "weekly"
-    groups:
-      # Group all GitHub Actions version updates together
-      actions:
-        patterns:
-          - "*"
+    cooldown:
+      default-days: 7
+    patterns: ["*"]
+    multi-ecosystem-group: "version-updates"
 
   # Enable version updates for pre-commit hooks
   - package-ecosystem: "pre-commit"
     directory: "/"
-    schedule:
-      interval: "weekly"
-    groups:
-      precommit-hooks:
-        # Group all pre-commit hook version updates together
-        patterns:
-          - "*"
+    cooldown:
+      default-days: 7
+    patterns: ["*"]
+    multi-ecosystem-group: "version-updates"
+
+  # Enable version updates for uv
+  - package-ecosystem: "uv"
+    directory: "/"
+    cooldown:
+      default-days: 7
+    patterns: ["*"]
+    multi-ecosystem-group: "version-updates"

.github/workflows/changelog.yml

@@ -1,3 +1,5 @@
+# Inspired by the changelog-check-action (https://github.com/tarides/changelog-check-action)
+
 name: Check Changelog
 on:
   pull_request:
@@ -13,16 +15,36 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  CHANGELOG: CHANGELOG.md
+  BASE_REF: ${{ github.base_ref }}
+  # Has no changelog label
+  HAS_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'no changelog') }}
+
 jobs:
   check-changelog:
     name: Verify Changelog Updated
     runs-on: ubuntu-latest
-    # for labeled/unlabeled actions, only run if it involves the "no changelog" label
+    # For labeled/unlabeled actions, only run if it involves the "no changelog" label
     if: >
       (contains(github.event.action, 'label') && github.event.label.name == 'no changelog')
       || ! contains(github.event.action, 'label')
     steps:
-      - name: Check changelog
-        uses: tarides/changelog-check-action@v3
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
         with:
-          changelog: CHANGELOG.md
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Check changelog
+        run: |
+          if ${HAS_LABEL}; then
+            echo "Check passes, since 'no changelog' label is set"
+            exit 0
+          elif git diff --exit-code "origin/${BASE_REF}" -- "${CHANGELOG}"; then
+            echo "Error: User-visible changes should come with an entry in the changelog."
+            echo "For changes not user-visible, add the 'no changelog' label to override this behavior."
+            exit 1
+          else
+            echo "Check passes, changes detected in ${CHANGELOG}"
+          fi

.github/workflows/codeql.yml

@@ -19,11 +19,6 @@ on:
   schedule:
     - cron: '34 21 * * 1'
 
-permissions:
-  contents: read
-  security-events: write
-  pull-requests: read
-
 concurrency:
   # Cancel existing job(s) for workflow when a new one is queued
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -67,7 +62,9 @@ jobs:
             # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false
 
       # Add any setup steps before running the `github/codeql-action/init` action.
       # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -77,7 +74,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463  # v4.36.1
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -106,6 +103,6 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463  # v4.36.1
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/pr-check.yml

@@ -17,20 +17,34 @@ jobs:
   validate-gitflow:
     name: Validate GitFlow branch rules
     runs-on: ubuntu-latest
-
+    env:
+      HEAD_REF: ${{ github.head_ref }}
     steps:
       - name: Check PRs to main
         if: github.base_ref == 'main'
         run: |
-          if [[ ! ${{ github.head_ref }} =~ ^(release|hotfix)/.+$ ]]; then
+          if [[ "$HEAD_REF" =~ ^(release|hotfix)/ ]]; then
+            echo "PASS: PRs from release and hotfix branches can target main"
+            exit 0
+          elif [[ ${HEAD_REF} =~ ^dependabot/ ]]; then
+            echo "ERROR: Cannot directly merge Dependabot updates"
+            echo "Add desired updates to a release, hotfix, or feature branch"
+            exit 1
+          else
             echo "ERROR: PRs targeting main must come from a release or hotfix branch"
             exit 1
           fi
 
       - name: Check PRs to develop
         if: github.base_ref == 'develop'
         run: |
-          if  [[ ${{ github.head_ref }} != "main" && ! ${{ github.head_ref }} =~ ^feature/.+$ ]]; then
-            echo "ERROR: PRs targeting develop must come from main or a feature branch"
+          if [[ "$HEAD_REF" = "main" || "$HEAD_REF" =~ ^feature/ ]]; then
+            echo "PASS: PRs from main and feature branches can target develop"
+            exit 0
+          elif [[ "$HEAD_REF" =~ ^dependabot/ ]]; then
+            echo "PASS: PRs from Dependabot updates can target develop"
+            exit 0
+          else
+            echo "ERROR: PRs targeting develop must come from main, Dependabot updates, or a feature branch"
             exit 1
           fi

.github/workflows/python-publish.yml

@@ -1,46 +1,43 @@
-# This workflow will upload a Python Package  when a release is created
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
+# This workflow will upload a Python package using uv when a release is published
+# Adapted from: https://docs.astral.sh/uv/guides/integration/github/#publishing-to-pypi
 
 name: Upload Python Package
 
 on:
-  # normal behavior: run when a new release is created
+  # normal behavior: run when a new release is published
   release:
     types: [published]
-  # allow manually running on main (restriction within job)
+  # allow running manually on main (restriction within job)
   workflow_dispatch:
 
-permissions:
-  contents: read
+concurrency:
+  # Cancel existing job(s) for workflow when a new one is queued
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   pypi-publish:
-    # Adapted from https://docs.astral.sh/uv/guides/integration/github/#publishing-to-pypi
     name: Upload release to PyPI
     runs-on: ubuntu-latest
     environment:
       name: pypi
       url: https://pypi.org/project/viapy/
     permissions:
       id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
-    if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.ref == 'main')
+      contents: read
+    if: github.event_name == 'release' || github.ref_name == 'main'
     steps:
-      - uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false
       - name: Install uv
-        uses: astral-sh/setup-uv@v8.1.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v.8.2.0
+        with:
+          enable-cache: false
       - name: Install Python 3.12
         run: uv python install 3.12
       - name: Build package
         run: uv build
-      # Check that basic features work and we didn't miss to include crucial files
-      - name: Smoke test (wheel)
-        run: uv run --isolated --no-project --with dist/*.whl tests/smoke_test.py
-      - name: Smoke test (source distribution)
-        run: uv run --isolated --no-project --with dist/*.tar.gz tests/smoke_test.py
       - name: Publish package
-        uses: uv publish
+        run: uv publish

.github/workflows/ruff-checks.yml

@@ -17,11 +17,15 @@ concurrency:
 
 jobs:
   ruff:
+    name: Run Ruff checks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false
       - name: Run Ruff linter
-        uses: astral-sh/ruff-action@v3
+        uses: astral-sh/ruff-action@0ce1b0bf8b818ef400413f810f8a11cdbda0034b  #v4.0.0
         with:
           args: "check --output-format=github"
       - name: Run Ruff formatter

.github/workflows/sphinx-docs-coverage.yml

@@ -23,10 +23,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Install uv and Python version
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v.8.2.0
         with:
           python-version: ${{ env.DOCS_PYTHON_VERSION }}
 

.github/workflows/unit-tests.yml

@@ -38,10 +38,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Install uv and Python version
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v.8.2.0
         with:
           python-version: ${{ matrix.python }}
 
@@ -67,7 +69,7 @@ jobs:
 
       # Only upload test coverage for Python 3.12 (3 reports total)
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354  # v6.0.1
         if: matrix.python == '3.12'
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.gitignore

@@ -73,9 +73,6 @@ target/
 # Jupyter Notebook
 .ipynb_checkpoints
 
-# pyenv
-.python-version
-
 # celery beat schedule file
 celerybeat-schedule
 

.pre-commit-config.yaml

@@ -5,7 +5,7 @@
 repos:
   # Ruff Python linter and formatter (configs in pyproject.toml)
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.13
+    rev: 0671d8ab202c4ac093b78433ae5baf74f3fc7246  # frozen: v0.15.15
     hooks:
       # Run the linter
       - id: ruff-check
@@ -14,7 +14,7 @@ repos:
       - id: ruff-format
   # mdformat for formatting Markdown files
   - repo: https://github.com/hukkin/mdformat
-    rev: 1.0.0
+    rev: 2d496dbc18e31b83a1596685347ffe0b6041daf0  # frozen: 1.0.0
     hooks:
       - id: mdformat
         # Optionally add plugins
@@ -23,20 +23,20 @@ repos:
           - mdformat-frontmatter  # support GitHub front-matter
   # yamlfmt for formatting YAML files
   - repo: https://github.com/google/yamlfmt
-    rev: v0.21.0
+    rev: b5ca1890231d5e1e5181fef75a1be609d1e25029  # frozen: v0.21.0
     hooks:
       - id: yamlfmt
   # Codespell for spell checking
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.4.2
+    rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a  # frozen: v2.4.2
     hooks:
       - id: codespell
         additional_dependencies:
           - tomli  # For Python 3.10
         exclude_types: ["css", "html", "javascript", "json"]
   # Some out-of-the-box file checks
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c  # frozen: v6.0.0
     hooks:
       # Check for files with merge conflict strings
       - id: check-merge-conflict
@@ -53,12 +53,18 @@ repos:
         exclude: "docs/"
   # Check uv.lock file is up to date
   - repo: https://github.com/astral-sh/uv-pre-commit
-    # uv version.
-    rev: 0.11.14
+    # uv version
+    rev: 3e7518446022606defbcdadcf8170a40cc680a8c  # frozen: 0.11.18
     hooks:
       - id: uv-lock
   # Validate GitHub Actions workflow files
   - repo: https://github.com/mpalmer/action-validator
-    rev: v0.9.0
+    rev: 76a805bbfcba3506d6cdb4bba1810ab504e0d72b  # frozen: v0.9.0
     hooks:
       - id: action-validator
+  # Security-focused GitHub Actions static analysis tool
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: 9257c6050c0261b8c57e712f632dc4a8010109a9  # frozen: v1.25.2
+    hooks:
+      - id: zizmor
+        args: [--fix=safe]  # enable safe fixes

.python-version

@@ -0,0 +1,2 @@
+# Pinned python version for development (used by uv)
+3.12